Book Review: “Applied Network Security Monitoring”

Chris Sanders kindly sent me a review copy of Applied Network Security Monitoring, written by Sanders along with Jason Smith, David J Bianco, and Liam Randall. It’s a very solid work, with much to recommend it to IT people who either have been told to implement security monitoring or who think that they should.

Some . . . → Read More: Book Review: “Applied Network Security Monitoring”

DNSSEC-verified SSL Certificates, the Standard Way

DANE, or DNS-based Authentication of Named Entities, is a protocol for stuffing public key and or public key signatures into DNS. As standard DNS is forged easily, you can’t safely do this without DNSSEC. With DNSSEC, however, you now have an alternative way to verify public keys. Two obvious candidates for DANE data are SSH . . . → Read More: DNSSEC-verified SSL Certificates, the Standard Way

NYCBSDCon 2014 Video, and 2014 appearances

The video of my NYCBSDCon talk is now on available on YouTube.

This talk is a little rougher than most I give. I felt worn-out before I even spoke on Saturday night. I woke up Sunday morning with tonsils the size of tennis balls (which made airport security interesting, let me tell you. “No, those . . . → Read More: NYCBSDCon 2014 Video, and 2014 appearances

Running Ancient Rsync

Another “write it down so I don’t forget what I did” post.

Some of the systems I’m responsible for are file storage machines, running rsync 3.0 or 3.1 as a daemon. Every hour, an ancient Solaris machine sends files to it using rsync 2.3.1. The billing team uses these files to create bills.

Thursday, I . . . → Read More: Running Ancient Rsync

ifup-local on bridge members on CentOS

I run a bunch of CentOS 6 physical servers as QEMU virtualization devices. These hosts have two NICs, one for management and one for virtual machine bridges.

When you use Linux for virtualization, it’s important to increase the amount of memory for network transmit and receive buffers. You also need to disable GSO and TSO, . . . → Read More: ifup-local on bridge members on CentOS

Jan 2014 Java update broke me

So I’m trying to upgrade my Ansible server to the newest OpenBSD snapshot, which involves working at the console. I go to my virtual server control panel, click on the link to the Java applet, and get told that Java won’t run this application.

Turns out that Java has trusted self-signed certificates for applications until . . . → Read More: Jan 2014 Java update broke me

Ansible and PF, plus NTP

It seems that ntpd has turned into the latest DDOS amplifier. I run a lot of servers, and most of them use the standard ntp client. I need to verify that none of my servers can be used for DDOS amplification. To do this, I need to give all the clients a standard NTP configuration, . . . → Read More: Ansible and PF, plus NTP

FreeBSD authentication against Samba 4 LDAP

After years of only needing central auth for Unix-like systems, I need to integrate Windows clients into my auth mix. Rather than munging my current OpenLDAP directory to contain Windows information, I elected to migrate to Samba 4. Samba 4 can act as a Windows domain controller and also exposes an LDAP interface for Unix . . . → Read More: FreeBSD authentication against Samba 4 LDAP

FreeBSD-update seems to hang on 10.0-BETA2

I’m setting up a new FreeBSD web server. As 10.0 is just around the corner, I installed 10.0-BETA2. BETA4 is out, so it’s time to upgrade.

# freebsd-update -r 10.0-BETA4 upgrade Looking up update.FreeBSD.org mirrors… 5 mirrors found. …

That all looks good. Then I installed the update

# freebsd-update install …

And the install . . . → Read More: FreeBSD-update seems to hang on 10.0-BETA2

Moving mailboxes from Courier/Maildir to DirectAdmin/dovecot/Maildir

I have an old mail server running Postfix and courier-imap. We want to split our customers off onto their old server, preferably something with a pretty pointy-clicky interface so that they can manage their own accounts. (Yes, people do still buy email service these days.)

The old server runs FreeBSD, postfix, and courier-imap. The new . . . → Read More: Moving mailboxes from Courier/Maildir to DirectAdmin/dovecot/Maildir